Security Incidents mailing list archives

Re: Publishing Nimda Logs


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Wed, 8 May 2002 23:25:53 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 8 May 2002 Richard.Smith () predictive com wrote: 

> Why not publish the list and only include the source netblock? That way
> you're still getting the info out there, but you're not allowing a script
> kiddie to simply cut and paste your host list into a bot script.

        This has to be the best compromise on the matter I've seen to
date.  One could list the netblocks and their respective cognizant
provider and also list the number of systems within that netblock that are
still issuing Nimda-infected scans.

        This approach certainly solves the DHCP-assigned IP address
objection.  Additionally, it renders the collected data at a sufficiently
high level so that anyone who complains that such a list only aids the
black hats (which I personally contest, but that's beside the point) will
have no genuine argument. 

        Superior idea, Richard.  I give it a thumbs-up.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `------ Dead I Am The One Exterminating Sun. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE82hZ1GI2IHblM+8ERAp7pAJ43bsvLNUhgEfhll/I9+YvDlCGMSwCgml6h
0lqJdhK/0biykgt+qPUwJ6Q=
=tSBY
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

